Data Protection Notice for Least Authority Clients

Data Protection Notice

Version 1.0 – December 22, 2025

The protection of your personal data is important to us. According to the EU General Data Protection Regulation (GDPR) and the German Datenschutzgrundverordnung (German Federal Data Protection Regulation, DSGVO), we are obliged to inform you about the purpose for which Least Authority TFA GmbH or any of Least Authority’s affiliates (“Least Authority”, “we”, “us”) collects, stores or passes on your data. This data protection notice also informs you what rights you have with regard to data protection.

 

I. Data Controller

The Data Controller of Least Authority is Least Authority TFA GmbH, Thaerstraße 28A, 10249 Berlin, Germany, and can be contacted via email at contactus@leastauthority.com or privacy@leastauthority.com.

 

II. Categories of Personal Data

In order to establish and perform our contractual relationship, we process the following categories of personal data:

  • Identification data (e.g., name, organization),
  • Contact details (e.g., email address, postal address, telephone number),
  • Contractual and billing information,
  • Other data voluntarily provided during communication or service delivery,
  • Additional information required to fulfill the contractual relationship.

Personal data is generally collected directly from you. To the extent personal data is provided to us indirectly (e.g., when you share contact details of your employees or representatives), this information is provided pursuant to Article 14 GDPR.

 

III. Purpose and Legal Basis for Processing

These personal data will be collected and processed for the following reasons:

  • To establish, execute or terminate our contractual relationship,
  • To provide and manage our services,
  • To maintain business relationships and communication,
  • For billing and accounting purposes,
  • To comply with legal obligations,
  • For marketing communications (where applicable),
  • To settle or enforce any claims arising from the contractual relationship.

The data processing is necessary for the performance of a contract (Article 6 para. 1 (b) GDPR), for compliance with legal obligations (Article 6 para. 1 (c) GDPR), or for the purposes of legitimate interests such as initiating, establishing, administering, or terminating a contractual relationship and fulfilling mutual obligations arising therefrom (Article 6 para. 1 (f) GDPR).

If processing involves special categories of personal data within the meaning of Article 9 GDPR, such processing will take place only under the conditions set out in Article 9 (2) GDPR.

 

IV. Source of the Data

If personal data has not been obtained directly from you, it may have been received from:

  • Your employer or organization (if you are a contact person),
  • Publicly available sources (e.g., company websites, professional directories),
  • Service providers or partners assisting in our operations.

 

V. Storage Period of Personal Data

We only store your personal data for as long as it is necessary to fulfill the purpose for which it was collected or to comply with legal obligations. Your personal data will be deleted as soon as it is no longer required and after expiry of the applicable legally binding retention obligations. For example, we store the data required under commercial and tax law for the legally specified periods, usually ten years (see Section 257 HGB, Section 147 AO). Other regulations may result in longer retention periods.

The provision of your personal data is necessary to enter into and perform the contractual relationship. Without this data, we may not be able to provide our services.

 

VI. Recipients or Categories of Recipients

We may share data with:

  • Our employees and contractors involved in service delivery,
  • Professional advisors (e.g., auditors, legal counsel),
  • IT and hosting providers under data processing agreements,
  • Regulatory or public authorities when legally required.

We do not sell or otherwise disclose personal data for commercial purposes.

 

VII. Forwarding Data to Third Parties

We only transfer personal data to third parties if this is permitted by law or if you have given your consent. Recipients of your personal data may include companies that have a business relationship with us and support the performance of our services. If a transfer of data takes place, we always take into account the technical and organizational measures of the recipients in accordance with Article 32 GDPR. Our service providers have a legal obligation to ensure compliance with all data protection rules, and they are usually also bound by further contractual provisions on data protection.

 

VIII. Forwarding Data to Third Countries

We may also transfer your data to recipients outside the EU. We only do this in accordance with the legal requirements for transfers to third countries. So, we only process or have the data processed in third countries when it is ensured that the third country or the recipient of the data in the third country guarantees an adequate level of data protection according to Art. 44 to 49 GDPR and no compelling interest prevents the data transfer. This may take the form of an “adequacy decision” of the European Commission which ensures that an adequate level of data protection has been ascertained overall for a certain third country. Alternatively, we can also transfer data on the basis of EU standard contractual clauses. Information on EU standard contractual clauses can be found here, and information on adequacy decisions here.

 

IX. Rights of Data Subjects

You have the following rights under the GDPR:

  • The right to obtain information under Article 15 GDPR,
  • The right to rectification under Article 16 GDPR,
  • The right to erasure under Article 17 GDPR,
  • The right to restriction of processing under Article 18 GDPR,
  • The right to object under Article 21 GDPR, and
  • The right to data portability under Article 20 GDPR.

The restrictions under sections 34 and 35 Federal Data Protection Act (BDSG) apply to the right to information and the right to erasure.

Your data is processed on the basis of legal regulations. If the legal basis for data processing is your consent, you can revoke your consent once given to us at any time. As a result, we stop the data processing based on this consent in the future (Art. 7 para. 3 GDPR).

If we process your data pursuant to a legitimate interest or a legitimate interest of a third party (Art. 6 para. 1 (f) GDPR), you can exercise your right to object provided there are grounds relating to the particular situation of the data subject in accordance with Art. 21 GDPR. Please direct any such request to privacy@leastauthority.com.

You have the right to lodge a complaint with the competent data protection supervisory authority (Art. 77 GDPR). The supervisory authority responsible for Berlin, Germany is: Berliner Beauftragte für Datenschutz und Informationsfreiheit, with its address Friedrichstr. 219, 10969 Berlin, Germany, and its phone: 030/138 89-0. Please find its homepage here.

 

X. Automated Decision-Making

We do not use personal data for automated decision-making or profiling within the meaning of Article 22 GDPR.

 

XI. Further Information

Further information about data processing can be found in our Data Protection Declaration on our webpage.

 
